
Friday, May 23, 2008

Orkut Social Application - An Alert Script trouble !

As described here:

"When one of my friends told me this, I didn't take it very seriously, because what he told me was not happening for me. What he told me was: 'Hey G, whenever I come to your profile, an alert box appears with the name askoppal. Do you know who it is?'

Well, askoppal is my friend and is in my friends list, but nothing of that sort happened, because I was using Opera then and scripts were blocked. But the interesting thing happened this morning when I used Firefox: yes, an alert box was indeed appearing when I visited my profile.

Primary investigations showed me that there wasn't anything in the source that could be causing this. Then I went to askoppal's profile page and found that his profile name was
alert( askoppal )

and hence an alert box was appearing even in his profile page. But why in mine?

So what I did was I changed my title to a similar one.
alert( Jithin K.Rajeev )
And then I observed that my name too was displayed in the alert box, but it appeared two times, and then askoppal's name.

Now the question was, is there any possibility of compromising your account using this bug? If yes, has anyone already started exploiting this bug? I posted my thoughts at Hacker's Library. And Vipul responded back in my scrapbook. (I don't think I can recreate the conversation here as he keeps his scrapbook empty.) Anyway, let me see.

This is Vipul's perspective on how this bug can be exploited.

You can successfully make an XSS attack using the TypeRacer app's bug.

How about a link to an external script?
Actually name field has limited letters, so you can simply so is we can connect it via external scripts. But still, it's not good to have such a flaw!

The basic of XSS is if you're able to execute scripts on a remote machine using a bug from a live site.
We can just publish that malicious scripts can be executed in Orkut can cause a 'Man in Middle' attack.

How are we able to execute script?
In what ways, one way is by typing in the First Name - Last name fields.

It's just working with profile name, nothing else.
Actually the profile name flashes in the TypeRacer app, that's why!

Then I tried using document.cookie in the script (javascript:alert( document.cookie ) when executed in your address bar displays the cookies set.) But the outcome was a blank alert box. This means that document.cookie did not carry any value. It was null, when executed via TypeRacer app.

To this Vipul replied:

How about the spammers?
They can make fake accounts and add themselves in TypeRacer, and then they put the redirection script to advertisement sites and can gain profits. A script hosted on a different server which contains the bunch of those click fraud URLs.

Then after some profile surfing, I found that it was irritating at times to have a bunch of alerts in profiles having the TypeRacer app. It seems that JavaApplet can be executed via similar scripting. In a community discussion, I found the code which claimed to be 'an Orkut trojan':

http://f4.filecrunch.com/files/20080512/cd347c7536557e269ff599fb5756fd9a/hi3.js

What this code does shall be discussed later. It basically mails your cookies and transfers your communities. But using the latest Firefox and IE7 avoids session and cookie hijacks, and for transferring communities, the password is now required. So there isn't any possibility of account and community hijack. Only some irritating scripts might run. Well, use Firefox with the NoScript addon installed, to avoid all problems.

Best Solution: Remove the TypeRacer app, at least till the problem is resolved by the brains behind the application. And do use Firefox with the NoScript addon."
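The behaviour described in the quoted post, a profile name running as script wherever the app displays it, is what happens when a stored name is written into a page without output encoding. The following is an added example, not code from Orkut or TypeRacer, contrasting the vulnerable and hardened rendering patterns and adding a simple audit over stored names; all function names and sample names are constructed for illustration.

```javascript
// Added example; not code from Orkut or TypeRacer. All names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored profile name is concatenated into markup as-is,
// so any markup in the name becomes part of every page that displays it.
function renderPlayerUnsafe(name) {
  return '<li class="player">' + name + '</li>';
}

// Hardened pattern: the name is encoded at the point of output.
function renderPlayerSafe(name) {
  const safe = escapeHtml(name);
  return '<li class="player" title="' + safe + '">' + safe + '</li>';
}

// Audit helper: list stored names that contain tag delimiters or a script URL scheme.
function findSuspiciousNames(names) {
  return names.filter((n) => /[<>]|javascript\s*:/i.test(n));
}

// Constructed sample data (not taken from real profiles).
const SAMPLE_NAMES = [
  'Jithin K.Rajeev',
  "O'Brien & Sons",
  "<script>alert('askoppal')</script>",
];

// Render a friend list the way an embedded app might, with a pluggable renderer.
function renderFriendList(names, renderOne) {
  return '<ul>' + names.map(renderOne).join('') + '</ul>';
}

console.log(renderFriendList(SAMPLE_NAMES, renderPlayerSafe));
console.log('flagged:', findSuspiciousNames(SAMPLE_NAMES));
```

Encoding at output is the fix; the audit only helps find names that were stored before the fix went in, and legitimate names containing `'` or `&` pass through it unflagged.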

Friday, December 7, 2007

Be Smart:Be Different -- Graphics that represent you!

Tech Ver.2  
Now that Orkut allows images and HTML code in scraps, many friends have been asking me for good websites with collections of animations, images, etc.

So I decided to suggest some animation sites; try the links below.

Image Generators: imageGenerator.net provides you with an easy way to add text to various images, allowing you to create a funny picture, or to illustrate a joke. You can save these pictures online and send them to your friends, or show them on your favorite message board or website.

Animation Factory: 500,000 Animations, Animated Clip art, Motion Designs for Video, PowerPoint, Flash, Websites, E-mail and more! Use our unique animations, Flash designs, video elements, PowerPoint templates, sounds, music, and backgrounds to bring your projects to life! Become a member of Animation Factory and immediately start downloading from our huge library. Hundreds of new items added every week.

Best Animations: Best Animations is a collection of free animated gifs found on the web. Except where indicated with an asterisk all animated gifs are believed to be free to use. If an asterisk appears next to an animation then you must check the copyright restrictions posted on the site linked at the bottom of the page where the animation appears. Please notify the webmaster if you see a copyrighted animation that is not credited.

Animation Library: the NEW Animation Library, a site featuring over 13,748 free animations for you to use on your website or send as digital postcards using our powerful Postcard Station. While you are browsing the Animation Library, you can listen to great music by using the Jukebox. To navigate our site, just use the Links in the menu below and on the sidebar to select animation you want to see. Enjoy your visit!

Gif animations: This is the Internet's original and largest collection of free animated GIFs. Right here, you have access to more than 20,000 animations, clipart and backgrounds. Price tags are not included and no registration is ever necessary. You can put this site on your browser's Favorites menu right now. Just press CTRL + D (works for most browsers). Then come back often to check out the new images that have been added.

Free animations: All the animations are free to download and use on your websites, emails and desktops. Many of the free animations and graphics have been created by the Webmaster, so you know you are getting original images. The 3D Words and messages are especially interesting. These have been created by the Webmaster using several types of software as listed in the disclaimer.

Animation Gold: large collection of free animation and clipart that you can download for free. Our archive of animation and clipart includes lots of new animated gifs and clipart you've probably never seen before. We will continue to make new animation and add it to our site. Click the free animation link at the left and it will take you to our animation page where you will find the animation menu listed by category.

Animation Central: Welcome to animation central where we serve up hundreds of free animations on the best free animated gif archive on the net today.

fg-a.com: Everything Needed To Build Or Enhance Your Web Site.
Browse for Animated Gifs, Clipart, Animations, Backgrounds and more

Animation station: best animations, backgrounds, graphics on net

Zwani: No Popups... No Spyware... No Spam! Just 1000's of Comments & Graphics To Use Everyday! Zwani.com is THE place to get all of the comments and graphics you could ever need for use on Myspace, friendster, Hi5, Myeeos, your website, friends blog or any other place you want to add a little comment or graphic. From comments and quotes to backgrounds, page codes and glitter graphics we have it all!

Pimp Hi5: this site provides Hi5 comments, glitters, animation, graphics, layouts, backgrounds, icons, falling hearts and many more.

You can find more websites with a Google search. Just click here...
If you like my work, then hope good for this site. That's all this site requires.